Document Services provide additional features related to Data Leak Prevention, by controlling attachments sent to or from your organization. They can be used to remove confidential metadata from documents, or convert documents to a different format before they are delivered to a recipient. Document Services can also be used to strip revision information from documents, including:

Document properties

Author credentials

Tracked changes

Comments

Microsoft Visual Basic for Applications macros

Most of these are never knowingly added and, more importantly, are never intended to be viewed outside an organization.

Considerations

Consider the following before configuring a definition or policy:

Documents can be automatically converted into PDF or ODF format. This reduces the potential risk of metadata access, and secures documents against any accidental or intentional changes by the recipient.

To aid in communicating with external organizations that may have different versions of Microsoft Word, policies can be created to convert Word documents into older or newer versions.

Configuring a Document Services Definition

Click on the Gateway | Policies menu item. The Gateway Policy Editor is displayed.

Click on the Definitions button. A list of definition types is displayed.

Click on the Document Services definition type from the list.

Select a Folder in the navigator. A definition cannot be created in the Root folder.

Either click on the:

Definition to be changed.

New Document Definition button to create a definition.

Complete the Office Document Processing section as follows:

Field / Option

Description

Description

Enter a description for the definition.

Metadata Profile

If using the definition to strip metadata, select a Metadata Profile to apply. If you are using the definition to only convert documents, leave the profile as "None". The profile selected determines what is stripped by us when the document is processed. The default profiles provided group certain aspects that can be stripped together. Alternatively the "Custom" profile can be selected, to allow you to choose the items to be stripped from a list.

This includes only the removal of Microsoft Visual Basic for Applications macros (VBA).

Custom

You can select the stripping parameters specified in the following list:

Common Options

Template: Every document is based on a template which is accessible to the recipient. The Template option removes the template from the document.

Comments: Removes all comments from a document.

Properties: Document properties can contain a vast array of information about your organization, including the authors of documents and other sensitive information. This option strips all document properties.

VBA: Visual Basic for Applications is the coding structure behind the application, and can contain sensitive information about the document, or be used to run malicious scripts. This option strips all VBA code from the document. If VBA is used for creating forms, etc., these will also be stripped if this option is selected.

Custom XML: Documents can contain embedded XML Data, which can be used to store custom XML in documents. Mimecast supports the removal of custom XML data parts.

Microsoft Word and RTF

Track Changes: Track changes contain review information you may not want to share with recipients. This option deletes all track changes, and ensures they cannot be recovered.

Variables: Variables (document information that can be accessed using Visual Basic or a metadata viewer) may have been used in the creation of the document. These will be stripped with this option selected.

End Notes and Foot Notes: End notes and foot notes will be removed from the document by selecting this option.

Fields: Fields are commonly used in documents for entering text (e.g. date, file names) and update automatically each time the document is accessed. If selected, these are removed from the document.

Word Versions: Microsoft Word has versioning capabilities, whereby previous versions of a document can be recalled. This option strips all previous versions associated with the current document.

Ink Annotations: Ink Annotations are used when running Microsoft Word on a tablet PC, and allow markup of a document. For example, you can add notes in the margins or circle or underline content. With this option selected, all ink annotations are removed.

Watermarks: A watermark allows you to enhance the appearance of the document by adding an image or adding text that identifies the document contents as a “Draft” or “Confidential”. These can be removed before the document is sent out.

Hidden Text: Microsoft Word allows you to hide text in a document, which doesn’t appear unless you opt to display it. Selecting this option removes hidden text. We can strip this hidden text, but cannot detect text that was hidden by other methods (e.g. white text on a white background).

Add Watermark

This option adds a watermark on each page of a Word or RTF document before it is transformed to PDF. These are the only currently supported file types. Directly adding watermarks to documents that have been transformed to PDFs is currently not supported. The text entry is limited to a maximum of 212 characters.

Document Conversion

If using the definition to convert documents, select one of the options below. If the definition's purpose is to strip metadata only, leave this option as "Do Not Convert".

PDF: Converts the document to the latest version of PDF/X or PDF/A, stripping the document of all metadata and allowing access only via a PDF reader.

ODF: ODF is an Open Document Format, allowing the document to be read by many readers.

Office Versions 97-2013: This option provides the ability to send documents in one of these Microsoft Word versions. This ensures recipients can access the document if they are using a different version of Microsoft Office, including both previous and later versions used in your environment.

Source Files

Specify what type of source document to apply the services to. If no source file types are specified, the definition won't be applied to any outgoing documents.

Complete the Action on Failed Conversion section as follows:

Field / Option

Description

Policy Action

Specify the action to be taken should conversion / processing fail. The available actions are "Allow" and "Hold for Review". All the following fields are only visible if the "Hold for Review" option is selected.

Hold Type

Restricts the view of held messages in the On Hold Message Queue. The options are:

User (default)

Moderator

Administrator.

For Data Leak Prevention (DLP) reasons, a user won't be able to release outbound items that were placed on hold due to a Content Examination policy.

Moderator Group

Use the Lookup button to select a group of moderators who can review and action the message when placed on hold. This option is only available for User and Moderator Hold types.

Notify Group

Use the Lookup button to select a group of users to be notified when the policy is triggered.

Notify (Internal) Sender

Notifies an internal sender that the policy has been triggered.

Notify (External) Sender

Notifies an external sender that the policy has been triggered.

Notify (Internal) Recipient

Notifies an internal recipient that the policy has been triggered.

Notify (External) Recipient

Notifies an external recipient that the policy has been triggered.

Notify Overseers

Notifies the Oversight Group should a Content Overseer policy be configured for the communication pair of the message that triggered the Document Services definition.

Provide a description for the policy to allow you to easily identify it in the future.

Select Document Services Policy

Click on the Lookup button to select the required Document Services definition for the policy.

Complete the Emails From and Emails To sections as required:

Field / Option

Description

Addresses Based On

Specify the email address characteristics the policy is based on. This option is only available in the "Emails From" section. The options are:

Option

Description

The Return Address (Mail Envelope From)

This default setting applies the policy to the SMTP address match, based on the message's envelope or true address (i.e. the address used during SMTP transmission).

The Message From Address (Message Header From)

Applies the policy based on the masked address used in the message's header.

Both

Applies the policy based on the Mail Envelope From or the Message Header From, whichever matches. If both match the specified value, the Message Header From is used.

Applies From / To

Specify the Sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. The options are:

Option

Description

Everyone

Includes all email users (i.e. internal and external). This option is only available in the "Emails From" section.

Internal Address

Includes only internal organization addresses.

External Address

Includes only external organization addresses. This option is only available in the "Emails From" section.

Email Domain

Enables you to specify a domain name to which this policy is applied. The domain name is entered in the Specifically field.

Address Groups

Enables you to specify a directory or local group. If this option is selected, click on the Lookup button to select a group from the Profile Group field. Once a group has been selected, you can click on the Show Location field to display the group's path.

Address Attributes

Enables you to specify a predefined Attribute. The attribute is selected from the Where Attribute drop down list. Once the Attribute is specified, a value must be entered in the Is Equal To field. This can only be used if attributes are configured for user accounts.

Individual Email Address

Enables you to specify an SMTP address. The email address is entered in the Specifically field.

Use this to enable (default) or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it is automatically disabled.

Set Policy as Perpetual

Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires.

Date Range

Specify a start and end date for the policy. This automatically deselects the "Eternal" option.

Policy Override

Select this to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override.

Bi-Directional

If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.

Source IP Ranges (n.n.n.n/x)

Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation.
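
To check what a definition using the Custom metadata profile actually removed, a delivered .docx can be inspected for several of the items listed under Common Options and Microsoft Word and RTF (Properties, Comments, VBA, Custom XML, Template, Variables, Track Changes, Hidden Text). The following Python check is an added example, not Mimecast code; it assumes standard OOXML part names, and the sample packages it builds are constructed stand-ins rather than real Word files.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
W, DC = "{%s}" % W_NS, "{%s}" % DC_NS

def audit_docx(data: bytes) -> set:
    """Return which of the page's stripping options still have residue in a .docx."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        def part(name):  # parsed XML root of a package part, or None if absent
            return ET.fromstring(z.read(name)) if name in names else None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            found.add("VBA")
        if any(n.startswith("customXml/") for n in names):
            found.add("Custom XML")
        core, comments = part("docProps/core.xml"), part("word/comments.xml")
        settings, doc = part("word/settings.xml"), part("word/document.xml")
        if core is not None and any((e.text or "").strip() for e in core.iter(DC + "creator")):
            found.add("Properties")
        if comments is not None and comments.find(W + "comment") is not None:
            found.add("Comments")
        if settings is not None and settings.find(W + "attachedTemplate") is not None:
            found.add("Template")
        if settings is not None and settings.find(W + "docVars") is not None:
            found.add("Variables")
        if doc is not None:
            if any(e.tag in (W + "ins", W + "del") for e in doc.iter()):
                found.add("Track Changes")  # tracked insertions or deletions remain
            if any(e.get(W + "val", "1") not in ("0", "false") for e in doc.iter(W + "vanish")):
                found.add("Hidden Text")  # runs formatted as hidden remain
    return found

def make_sample(parts: dict) -> bytes:  # constructed minimal package, not a real Word file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

BODY = '<w:document xmlns:w="%s"><w:body><w:p>%%s</w:p></w:body></w:document>' % W_NS
DIRTY = make_sample({  # constructed sample: author, tracked insertion, hidden run, macro part
    "docProps/core.xml": '<p xmlns:dc="%s"><dc:creator>j.doe</dc:creator></p>' % DC_NS,
    "word/document.xml": BODY % "<w:ins><w:r><w:rPr><w:vanish/></w:rPr><w:t>x</w:t></w:r></w:ins>",
    "word/vbaProject.bin": b"\x00",
})
CLEAN = make_sample({"word/document.xml": BODY % "<w:r><w:t>x</w:t></w:r>"})
```

Run audit_docx on an attachment captured after the policy has been applied; an empty set means none of the checked items remain in the file.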